{"id":12238,"date":"2019-12-06T14:37:43","date_gmt":"2019-12-06T13:37:43","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=12238"},"modified":"2020-02-04T16:46:37","modified_gmt":"2020-02-04T15:46:37","slug":"cybersecurity-transformation-agile","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2019\/12\/cybersecurity-transformation-agile\/","title":{"rendered":"Agile transformations of organizations: towards a structural change of approach to cybersecurity"},"content":{"rendered":"<p><em>Faced with agile digital transformations that demand fast, reliable delivery of IT services through new application production pipelines, information security (SSI) teams must adapt their organization, processes and tooling to ensure that security concerns are taken into account continuously. Pragmatism and adaptability will be the watchwords for making agility the catalyst of a positive evolution in how cybersecurity concerns are addressed.<\/em><\/p>\n<p><em>Through this series of articles, we will present our convictions on how SSI teams can carry out this transformation in depth.<\/em><\/p>\n<h2>Digital transformation means adopting a new IT delivery method<\/h2>\n<p>In the age of digital transformation, organizations face 3 main challenges:<\/p>\n<ul>\n<li><strong>Innovate<\/strong> faster to keep up with the competition.<\/li>\n<li><strong>Adapt<\/strong> quickly to change, with more flexibility, in order to better manage uncertainty and complexity.<\/li>\n<li>Better <strong>combine<\/strong> IT and business skills to maximize product value.<\/li>\n<\/ul>\n<p>In this context, 
agile methods, with their iterative, incremental and adaptive approach to development, hold the promise of a more fluid organization by making it possible to:<\/p>\n<ul>\n<li><strong>Shorten the time between the expression of a business need and the launch of the corresponding service<\/strong> (\"Time to Value\"): the features developed at each stage (sprint) are operational and potentially usable.<\/li>\n<li><strong>Control risk and quality<\/strong>: the iterative and incremental agile approach yields a maximum of learning (\"test and learn\") for a minimum of effort.<\/li>\n<li><strong>Increase productivity and collaboration between teams by giving meaning to their work<\/strong>: breaking down organizational silos intensifies interactions between IT and the business, which improves engagement around the project and the continuous-improvement loops.<\/li>\n<li><strong>Adapt quickly to change<\/strong>: with the possibility of changing course at any time when needs evolve or feedback is negative.<\/li>\n<\/ul>\n<p>Because agile methods upend the way decisions are made and the way the organization works, new questions arise about how security fits into agile organizations:<\/p>\n<ul>\n<li>How to <strong>reinvent the integration of security into projects<\/strong> to fit iterative delivery?<\/li>\n<li>How to <strong>support scaling up<\/strong>? 
How should security teams be structured to ensure security in agile at scale?<\/li>\n<li>Beyond project support, <strong>how do the SSI organization and its major processes<\/strong> evolve to operate within the company's new agile operating model?<\/li>\n<\/ul>\n<h2>Adopting agile methods requires overhauling the process for integrating security into projects<\/h2>\n<p><a href=\"https:\/\/www.wavestone.com\/app\/uploads\/2017\/09\/2017-SyntheseDEVOPS_VF_WEB.pdf\">Adopting agile methods is a genuine break in how work is organized.<\/a> The iterative development cycle and the delivery frequency require that <strong>all the teams revolving around<\/strong> the product <strong>be aligned<\/strong>, and therefore require the CISO (RSSI) to find <strong>the ideal balance between agility and security.<\/strong><\/p>\n<p>In traditional project management methods, security is implemented monolithically through <strong>3 pillars<\/strong>:<\/p>\n<ul>\n<li><strong>Risk assessment:<\/strong> assessing the security needs and the level of SSI support agreed upon to manage the identified risks.<\/li>\n<li><strong>Support:<\/strong> assisting development and infrastructure teams in designing and implementing security measures.<\/li>\n<li><strong>Control:<\/strong> performing security acceptance testing to confirm that security risks have been resolved and to approve go-live.<\/li>\n<\/ul>\n<p>Integrating 
security into agile processes must still be able to rely on these 3 pillars, but SSI teams need to <strong>revisit their approach<\/strong> to adapt to the new delivery methods.<\/p>\n<p>In this article you will find <strong>4 key success factors<\/strong> for transposing the ISP (security integration into projects) process into an agile approach.<\/p>\n<figure id=\"post-12286 media-12286\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-12286\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive1_rognee.png\" alt=\"\" width=\"1033\" height=\"557\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive1_rognee.png 1033w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive1_rognee-354x191.png 354w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive1_rognee-768x414.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive1_rognee-71x39.png 71w\" sizes=\"auto, (max-width: 1033px) 100vw, 1033px\" \/><\/figure>\n<h3><strong>1. Assess the level of SSI support throughout the agile development cycle<\/strong><\/h3>\n<p><strong>Assessing the sensitivity<\/strong> of a project is an unavoidable first step for prioritizing and optimizing the efforts of SSI teams. 
In an agile approach, this assessment must no longer be carried out only at the start of the project, but <strong>throughout the development cycle.<\/strong> Each product must therefore have a <strong>security passport<\/strong>, updated on a regular basis (e.g. every 3-6 months) and whenever features that introduce new security needs are developed.<\/p>\n<p>The level of support provided by SSI teams will be determined by taking into account the <strong>security sensitivity of the features to be developed<\/strong> in the coming sprints and the <strong>Squad's level of cybersecurity maturity.<\/strong><\/p>\n<h3><strong>2. Adopt a Security by Design approach<\/strong><\/h3>\n<p>To facilitate the <strong>Security by Design<\/strong> approach, SSI requirements must be integrated <strong>as early as possible<\/strong> into the design of the product.<\/p>\n<p>To achieve this, SSI teams will have to translate <strong>security measures<\/strong> (referenced in SSI policies and standards that development teams are often unfamiliar with) into a <strong>\"security baseline\",<\/strong> that is, a <strong>foundation of good practices applied systematically<\/strong> and providing a <strong>minimum level of protection<\/strong>.<\/p>\n<p>This takes the form of a list of \"<strong>security user stories<\/strong>\", easy for developers to handle, which will be included in <strong>every product backlog.<\/strong><\/p>\n<h3><strong>3. 
Translate risk scenarios into Evil User Stories<\/strong><\/h3>\n<p>Just as the Product Owner writes User Stories to describe, in conversational form, an expectation expressed by a user, security teams will have to adapt to agile methods by <strong>expressing risks in conversational form<\/strong> through <strong>Evil User Stories (EUS).<\/strong><\/p>\n<p>Evil User Stories let security express the intentions of a <strong>malicious user<\/strong>.<\/p>\n<p>An Evil User Story describes the realization of a <strong>risk scenario<\/strong> by identifying a <strong>risk source<\/strong> (external attacker \/ malicious insider) exploiting a <strong>vulnerability<\/strong> and causing an <strong>impact on business value.<\/strong><\/p>\n<figure id=\"post-12288 media-12288\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-12288\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive2_rognee.png\" alt=\"\" width=\"1032\" height=\"502\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive2_rognee.png 1032w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive2_rognee-393x191.png 393w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive2_rognee-768x374.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive2_rognee-71x35.png 71w\" sizes=\"auto, (max-width: 
1032px) 100vw, 1032px\" \/><\/figure>\n<p>For each EUS, security measures (Security User Stories) that mitigate the risks are identified and added to the backlog.<\/p>\n<p><strong>Security User Stories can be defined at several stages of the cycle:<\/strong><\/p>\n<ul>\n<li>During the initial risk assessment at product launch.<\/li>\n<li>Over the course of iterations: as soon as a business user story that introduces SSI risks is identified.<\/li>\n<li>During control phases: as soon as a vulnerability is detected.<\/li>\n<\/ul>\n<p>Compared with a V-model risk analysis, Evil User Stories bring <strong>key security advantages:<\/strong><\/p>\n<ul>\n<li><strong>Risks are easy to understand because they are stated conversationally:<\/strong> today, when a risk analysis is carried out, the risks that are formalized do not necessarily mean much to a business user or a developer. Stated this way, risks are understandable by every project stakeholder and become part of their daily work.<\/li>\n<li><strong>Risks are regularly updated whenever the product evolves:<\/strong> security concerns must be addressed in a way that is both continuous and pragmatic, enabling an incremental risk-reduction approach. 
Security User Stories are prioritized according to the actual risk, and the residual risk remains acceptable as long as the product is exposed to only a handful of users.<\/li>\n<li><strong>The remediation process is easy to monitor by examining the backlog:<\/strong> the list of Security User Stories is embedded in the backlog and tracked in a tool (e.g. Jira). This is a real gain compared with traditional methods, which did not always make it possible to track whether security measures were properly applied.<\/li>\n<\/ul>\n<h3><strong>4. Integrate security into the acceptance criteria of User Stories<\/strong><\/h3>\n<p>In an ideal world, where security was systematically built in, security teams would not necessarily need to add Security User Stories to the product backlog.<\/p>\n<p>Indeed, in agile methods, <strong>acceptance criteria<\/strong> accompany each user story. They represent a <strong>set of conditions<\/strong> (usability, performance, etc.) that the story must satisfy to be considered <strong>complete and done<\/strong>. 
They are written by the Product Owner in collaboration with the development team.<\/p>\n<p>The security team could thus take advantage of these conditions of satisfaction to add the <strong>list of security measures to be integrated<\/strong> to ensure the security of each feature developed.<\/p>\n<p>In reality, it is never done this way (too constraining for the Squad), hence the need to write Security User Stories and add them to the product backlog.<\/p>\n<figure id=\"post-12290 media-12290\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-12290\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive3_rognee.png\" alt=\"\" width=\"1030\" height=\"415\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive3_rognee.png 1030w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive3_rognee-437x176.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive3_rognee-768x309.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive3_rognee-71x29.png 71w\" sizes=\"auto, (max-width: 1030px) 100vw, 1030px\" \/><\/figure>\n<h3><strong>5. 
Provide playful tools to encourage SSI concerns to be taken into account<\/strong><\/h3>\n<p>Because the Squad members who will have to identify the Evil User Stories do not necessarily have all the skills to do so, we have developed a card game that makes the risk analysis exercise more concrete and enjoyable.<\/p>\n<p><strong>The game consists of cards, each with 2 sides:<\/strong><\/p>\n<ul>\n<li>Front: the Evil User Stories describe, in a very educational way, what can go wrong and which vulnerabilities are involved (e.g. privilege escalation on a web server, brute-force attack, XSS, ...).<\/li>\n<li>Back: the Security User Stories describe the security measures to implement to make sure the Evil User Story does not happen (e.g. use of a robust encryption algorithm such as AES 256\/512, ...).<\/li>\n<\/ul>\n<p><strong>How to play:<\/strong><\/p>\n<ul>\n<li>Gather, at a minimum, the Squad members with functional knowledge of the solution (Product Owner) and with technical and risk knowledge (security champions, developers, architects).<\/li>\n<li>The architects draw the application architecture on a large A3 poster on a table, showing the data flows and the data classification, and the Product Owner lists the next User Stories to be developed.<\/li>\n<li>The security champion (Security Champion) and the developers place the exploitable vulnerabilities on the architecture diagram.<\/li>\n<li>The Product Owner and the Security Champion qualify the impact that each 
vulnerability may have.<\/li>\n<li>The Security Champion and the developers check whether the security measures that counter the identified vulnerabilities are already implemented.<\/li>\n<li>If some security measures are not yet in production: the Security Champion prioritizes the technical measures to implement in order to cover the resulting risks (risk to the company, not only at the business level).<\/li>\n<li>The Product Owner prioritizes the remaining security measures in light of the business risks and the team's resources.<\/li>\n<\/ul>\n<p>This type of game makes it possible to involve all stakeholders in the risk analysis and to identify the security measures to inject into the backlog.<\/p>\n<figure id=\"post-12612 media-12612\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-12612\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Article-1-illustrations-4.png\" alt=\"\" width=\"801\" height=\"656\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Article-1-illustrations-4.png 801w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Article-1-illustrations-4-233x191.png 233w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Article-1-illustrations-4-48x39.png 48w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Article-1-illustrations-4-768x629.png 768w\" sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/figure>\n<p>In this article, we have identified 4 initial levers for 
integrating cybersecurity into an agile approach:<\/p>\n<ol>\n<li><strong>The Security Passport<\/strong> to assess the level of SSI support throughout the agile development cycle<\/li>\n<li><strong>The operational translation of the Security Baseline<\/strong> to ensure a minimum level of protection<\/li>\n<li><strong>Evil User Stories<\/strong> to express risk scenarios in a simple and understandable way<\/li>\n<li><strong>Playful tools<\/strong> to encourage SSI concerns to be taken into account<\/li>\n<\/ol>\n<p>In the coming articles, we will answer the following questions:<\/p>\n<ul>\n<li>How to support scaling up? How to reorganize the SSI team?<\/li>\n<li>How to ensure a good level of security control?<\/li>\n<li>Beyond project support, how must the SSI organization and its major processes evolve to operate within the company's new agile operating model?<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Face aux transformations digitales agiles imposant la fourniture rapide et fiable de services IT \u00e0 travers de nouvelles cha\u00eenes de production applicative, les \u00e9quipes SSI doivent adapter leur organisation, leur processus et leur outillage pour assurer une prise en 
compte&#8230;<\/p>\n","protected":false},"author":1357,"featured_media":12267,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3223,36],"tags":[3219,3214,3215,3281],"coauthors":[3212,2605],"class_list":["post-12238","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-next-gen-it-security","category-cybersecurity-digital-trust","tag-agile-2","tag-isp-agile","tag-security-champion","tag-user-stories"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>La cybers\u00e9curit\u00e9 dans les transformations agiles des organisations<\/title>\n<meta name=\"description\" content=\"Face aux transformations digitales agiles imposant la fourniture rapide et fiable de services, les \u00e9quipes SSI doivent adapter leur organisation.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"La cybers\u00e9curit\u00e9 dans les transformations agiles des organisations\" \/>\n<meta property=\"og:description\" content=\"Face aux transformations digitales agiles imposant la fourniture rapide et fiable de services, les \u00e9quipes SSI doivent adapter leur organisation.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2019-12-06T13:37:43+00:00\" \/>\n<meta 
property=\"article:modified_time\" content=\"2020-02-04T15:46:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Fotolia_73234673_Subscription_Monthly_XXL-apoule.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"3873\" \/>\n\t<meta property=\"og:image:height\" content=\"3873\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Vincent Nguyen\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Vincent Nguyen\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/\"},\"author\":{\"name\":\"Vincent Nguyen\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/836af2ef2be74699a7090c74f4465aa7\"},\"headline\":\"Transformations agiles des organisations: vers un changement structurel d&#8217;approche pour la 
cybers\u00e9curit\u00e9\",\"datePublished\":\"2019-12-06T13:37:43+00:00\",\"dateModified\":\"2020-02-04T15:46:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/\"},\"wordCount\":2101,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Fotolia_73234673_Subscription_Monthly_XXL-apoule.jpg\",\"keywords\":[\"agile\",\"ISP agile\",\"security champion\",\"user stories\"],\"articleSection\":[\"Cloud &amp; Next-Gen IT Security\",\"Cybersecurity &amp; Digital Trust\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/\",\"name\":\"La cybers\u00e9curit\u00e9 dans les transformations agiles des organisations\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Fotolia_73234673_Subscription_Monthly_XXL-apoule.jpg\",\"datePublished\":\"2019-12-06T13:37:43+00:00\",\"dateModified\":\"2020-02-04T15:46:37+00:00\",\"description\":\"Face aux transformations digitales agiles imposant la fourniture rapide et fiable de services, les \u00e9quipes SSI doivent adapter leur 
organisation.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Fotolia_73234673_Subscription_Monthly_XXL-apoule.jpg\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Fotolia_73234673_Subscription_Monthly_XXL-apoule.jpg\",\"width\":3873,\"height\":3873,\"caption\":\"Simple light bulb conceptual icon with colorful gears inside. Vector illustration\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Transformations agiles des organisations: vers un changement structurel d&rsquo;approche pour la cybers\u00e9curit\u00e9\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s 
consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/836af2ef2be74699a7090c74f4465aa7\",\"name\":\"Vincent Nguyen\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/vincent-nguyen\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"La cybers\u00e9curit\u00e9 dans les transformations agiles des organisations","description":"Face aux transformations digitales agiles imposant la fourniture rapide et fiable de services, les \u00e9quipes SSI doivent adapter leur organisation.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/","og_locale":"en_US","og_type":"article","og_title":"La cybers\u00e9curit\u00e9 dans les transformations agiles des organisations","og_description":"Face aux transformations digitales agiles imposant la fourniture rapide et fiable de services, les \u00e9quipes SSI doivent adapter leur organisation.","og_url":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/","og_site_name":"RiskInsight","article_published_time":"2019-12-06T13:37:43+00:00","article_modified_time":"2020-02-04T15:46:37+00:00","og_image":[{"width":3873,"height":3873,"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Fotolia_73234673_Subscription_Monthly_XXL-apoule.jpg","type":"image\/jpeg"}],"author":"Vincent Nguyen","twitter_misc":{"Written by":"Vincent Nguyen","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/"},"author":{"name":"Vincent Nguyen","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/836af2ef2be74699a7090c74f4465aa7"},"headline":"Transformations agiles des organisations: vers un changement structurel d&#8217;approche pour la cybers\u00e9curit\u00e9","datePublished":"2019-12-06T13:37:43+00:00","dateModified":"2020-02-04T15:46:37+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/"},"wordCount":2101,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Fotolia_73234673_Subscription_Monthly_XXL-apoule.jpg","keywords":["agile","ISP agile","security champion","user stories"],"articleSection":["Cloud &amp; Next-Gen IT Security","Cybersecurity &amp; Digital Trust"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/","url":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/","name":"La cybers\u00e9curit\u00e9 dans les transformations agiles des 
organisations","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Fotolia_73234673_Subscription_Monthly_XXL-apoule.jpg","datePublished":"2019-12-06T13:37:43+00:00","dateModified":"2020-02-04T15:46:37+00:00","description":"Face aux transformations digitales agiles imposant la fourniture rapide et fiable de services, les \u00e9quipes SSI doivent adapter leur organisation.","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Fotolia_73234673_Subscription_Monthly_XXL-apoule.jpg","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Fotolia_73234673_Subscription_Monthly_XXL-apoule.jpg","width":3873,"height":3873,"caption":"Simple light bulb conceptual icon with colorful gears inside. 
Vector illustration"},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/12\/cybersecurity-transformation-agile\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"Transformations agiles des organisations: vers un changement structurel d&rsquo;approche pour la cybers\u00e9curit\u00e9"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/836af2ef2be74699a7090c74f4465aa7","name":"Vincent 
Nguyen","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/vincent-nguyen\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/12238","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1357"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=12238"}],"version-history":[{"count":12,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/12238\/revisions"}],"predecessor-version":[{"id":12614,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/12238\/revisions\/12614"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/12267"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=12238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=12238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=12238"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=12238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}